Merge pull request #48935 from CaoShuFeng/NamespaceLifecycle

Automatic merge from submit-queue (batch tested with PRs 48914, 48535, 49099, 48935, 48871)

fix NamespaceLifecycle admission

forceLiveLookupCache is designed to save recently deleted namespaces.
But currently, cluster scoped resources are also put into it.
For example, when we run:
kubectl delete clusterrole edit
The "edit" is put into forceLiveLookupCache as a deleted namespace.
This change fixes that incorrect behavior.


**Release note**:

```
NONE
```
Kubernetes Submit Queue 2017-07-18 21:04:26 -07:00 committed by GitHub
commit 6c7eac2d20
2 changed files with 8 additions and 5 deletions


@ -91,10 +91,12 @@ func (l *lifecycle) Admit(a admission.Attributes) error {
return errors.NewForbidden(a.GetResource().GroupResource(), a.GetName(), fmt.Errorf("this namespace may not be deleted"))
}
// if we're here, then we've already passed authentication, so we're allowed to do what we're trying to do
// if we're here, then the API server has found a route, which means that if we have a non-empty namespace
// its a namespaced resource.
if len(a.GetNamespace()) == 0 || a.GetKind().GroupKind() == v1.SchemeGroupVersion.WithKind("Namespace").GroupKind() {
// always allow non-namespaced resources
if len(a.GetNamespace()) == 0 && a.GetKind().GroupKind() != v1.SchemeGroupVersion.WithKind("Namespace").GroupKind() {
return nil
}
if a.GetKind().GroupKind() == v1.SchemeGroupVersion.WithKind("Namespace").GroupKind() {
// if a namespace is deleted, we want to prevent all further creates into it
// while it is undergoing termination. to reduce incidences where the cache
// is slow to update, we add the namespace into a force live lookup list to ensure
@ -102,6 +104,7 @@ func (l *lifecycle) Admit(a admission.Attributes) error {
if a.GetOperation() == admission.Delete {
l.forceLiveLookupCache.Add(a.GetName(), true, forceLiveLookupTTL)
}
// allow all operations to namespaces
return nil
}
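Review bot: The Namespace-kind comparison is now written out twice in back-to-back conditions, negated in the early return and positive in the cache branch, and the bug fixed here came from that guard being too broad. Computing it once, e.g. `isNamespace := a.GetKind().GroupKind() == v1.SchemeGroupVersion.WithKind("Namespace").GroupKind()` followed by `if len(a.GetNamespace()) == 0 && !isNamespace {`, keeps the "skip cluster-scoped resources" and "record the deleted namespace" decisions from drifting apart. The new comment `// always allow non-namespaced resources` also does not say why an empty namespace implies a cluster-scoped resource; one sentence stating that this relies on the API server's routing having filled in the namespace for every namespaced request would keep that assumption visible. Admit starts and ends outside these hunks.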


@ -251,7 +251,7 @@ func TestAdmissionNamespaceForceLiveLookup(t *testing.T) {
getCalls = 0
// verify delete of namespace can proceed
err = handler.Admit(admission.NewAttributesRecord(nil, nil, v1.SchemeGroupVersion.WithKind("Namespace").GroupKind().WithVersion("version"), "", namespace, v1.Resource("namespaces").WithVersion("version"), "", admission.Delete, nil))
err = handler.Admit(admission.NewAttributesRecord(nil, nil, v1.SchemeGroupVersion.WithKind("Namespace").GroupKind().WithVersion("version"), namespace, namespace, v1.Resource("namespaces").WithVersion("version"), "", admission.Delete, nil))
if err != nil {
t.Errorf("Expected namespace deletion to be allowed")
}
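Review bot: No test in this hunk exercises the case the commit fixes: a Delete of a cluster-scoped object whose name equals an existing namespace must not put that name into forceLiveLookupCache. The changed call only switches the namespace argument of the Namespace delete from `""` to `namespace`, which, as far as the visible lines show, passes with or without the fix. I would add a step that admits a Delete for a non-Namespace kind with an empty namespace and the name `namespace`, then admits a create in that namespace and checks that `getCalls` stays at 0 (assuming it counts live lookups, as the reset here suggests). TestAdmissionNamespaceForceLiveLookup starts and ends outside the hunk, so an equivalent check elsewhere in it cannot be ruled out.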